Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual iOS has been proven to capture and store snapshots.This occurs when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the applicationPlist is a structured text file that contains essential configuration information for a bundled executable

A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in the plist files including authentication credentials, PIN and oAUTH tokensPlist files can be found in several location in the application directory . An example location and plist file content storing sensitive authentication credentials are shown on the screen

Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by the users. This results in users Phishing attacks where users end up providing personal information and private data to malicious websites that look like legitimate applicationsApplications that fall back or can be forced out of an encrypting mode can also be abused by attackers resulting in insecure communication. This is common on sites that operate on both HTTP and HTTPS services, or by the implementation of older versions of SSL on the web server that are vulnerable to downgrade attacks.

In 2011, it was discovered that Android devices transmitted data and AuthToken session cookie via insecure HTTP. AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data which is made available through the service API. This includes Google calendar, picasa and contact information for that user. For more Reference: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.htmlThe issue here is the use of insecure HTTP channel which allows network eavesdropping of the authToken and user data

InsecureData Storage applies to the locally stored data by the mobile applications. There are two types of mobiles apps - native apps and browser based apps. Native apps are apps that is installed in the handset, processes data locally and may connect to the internet for updates or sending user specific information to the server. Example: Gaming apps, News apps, etc. Browser based apps are apps that are accessible via mobile browser. This vulnerability applies to both categories of apps.Most apps stores user specific information on mobile devices. This data may be stored in clear text and may includeUsername and passwordPII, SSN, Health InformationDevice ID, Application configurationAccount Number, Credit Card, Financial Information

Insecure transport layer protection is considered a high risk security vulnerabilityThe impact could includeLoss of Data Confidentiality &amp; Integrity when sensitive information is revealed to the attackerData Tampering when attacker modifies application traffic and force user accept itMan-in-the-Middle (MITM attack) if an attacker diverts all traffic through an insecure channelImpersonation if the attacker hijacks user account

Please make a selection by clicking on the

Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, look into setting the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogetherAdd an enterprise policy to clear the keyboard dictionary at regular intervals. This can be done by the end user by simply going to the Settings application, General &gt; Reset &gt; Reset Keyboard Dictionary

28.
Secure Design / Architecture• Do not trust the client. Store sensitive data on the server• Perform server side data validation and canonicalization• Only collect and disclose data which is required for business use of the application• Define and deploy secure configuration• Establish common set of security requirements• Perform periodic security scans and audits• Protect sensitive data using HTTPS & SSL• Do not log credentials, PII and other sensitive data• Review all third party libraries before use 29

34.
Security Issues-MDM• Addresses security of device only• Has little insight into security health of applications• Treats all applications and all data at the same classification level• Difficulties in adoption in corporate environments that allows BYOD• Does not affect or improve the security of applications 35

35.
MAM• MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints• MAM can allow an organization to deliver applications like secure email, calendar, expense reporting• Allows security policies to be applied exclusively on specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.. 36

36.
Security Issues-MAM• MAM seems to have the answer for MIM’s security challenges• MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information• MAM solutions have several challenges: – Rewrite secure versions of vendor applications(functionality challenges) – Allow vendors plug into their security platform – Currently works only an a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools) 37